The story that began with MasterCard and VISA warning of a serious data breach has accelerated this afternoon. We now know the name of the processor that was hacked: Global Payments.
As many as 10 million users of VISA and MasterCard may have had their card numbers compromised in what sources in the financial sector are calling a "massive" breach of Global Payments.
We published a story a couple of hours ago that studies the broader lesson and impact, but in this post I want to share some of the comments that have been flooding my inbox this past hour. I should note that these all come from security vendors who would love to sell you products to "protect" you from becoming the next Global Payments. Their comments are interesting and worth noting here, but please feel free to add your two cents in the comments section below.
“This is unfortunately reminiscent of the Heartland Payment Systems breach that started in 2007 and was finally discovered and disclosed in early 2009,” said Joe Levy, CTO of Solera Networks. “That one was estimated to have involved 130 million records, and Heartland later reported that the fines, settlements, and legal costs related to the breach totaled about $140 million. While details of target and scope are yet to emerge on this breach, it is estimated to have occurred sometime between January and February of this year, and to have involved some 10 million records including full Track 1 and Track 2 dump data. This allows the thieves to sell the stolen records for a higher price because counterfeit cards can be produced with this data. There's just no telling yet what the size and cost of this event will climb to.”
“Breaches are becoming more common -- almost every large enterprise has been breached and close to half of breaches involve an insider threat,” commented Eric Chiu, president & founder of HyTrust. “At the same time, virtualization has taken over the datacenter and is a core part of the cloud infrastructure that now hosts sensitive data. Without proper security controls in place for that virtual infrastructure, cloud environments are less secure than their physical counterparts -- a scary thought in the age of cyber threats and large data breaches. As more consolidation and transformations of datacenters continue, even greater care must be taken to implement proper security measures. A breach at a payments processor is millions of times worse than at a single merchant, given the massively larger amounts of data available in that one location.”
Mark Bower, data protection expert and VP of Voltage Security, said, “Alarm bells have been ringing loudly on these risks for years – payment processors are a top target for attackers. The top U.S. payment processors have already responded with data-centric security strategies, using end-to-end encryption from the merchant to the processor, data-centric encryption on back end systems, and tokenization for post-payment information protection. Five of the top US payment processors use Voltage to meet these risks. If there’s one industry that absolutely needs to adopt a data-centric security strategy to mitigate breach risk, it’s the payments industry. And the writing is on the wall for those payment acquirers that don’t. The PCI Council recognizes these risks, so it should be no surprise if an organization that relies on older perimeter security strategies is breached and lands on the front pages of newspapers.”
Mandeep Khera, CMO of LogLogic, said, “In spite of all the well-publicized breaches in the past couple of years, hackers continue to launch attacks. We know that organizations are trying to put better security in place but obviously this is not enough. You can never achieve 100 percent security. But, raising the bar will help. Proactive security policies and monitoring of all transactions on a regular basis can make a world of a difference. The key now is for Global Payments to not only change their security policies but also make sure that these card holders are protected from other attacks like phishing or identity theft. Just offering a free credit report is not enough.”